A coworker suggested I change max_log_file_action to KEEP_LOGS instead of ROTATE in /etc/audit/auditd.conf. This did the trick. auditd was generating too many logs and activating log rotation. I ran a test after the change, and the lower ports that did not show up previously showed up in the logs.

thanks,
yah

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
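
As an added example (not part of the original message), this sketch reads the retention-related keys of an auditd.conf and reports how much history ROTATE can hold before older events are deleted, and what KEEP_LOGS then requires for disk handling. The sample file contents and the function names `parse_auditd_conf` and `retention_report` are constructed for this example.

```python
# Added example: retention check for auditd.conf settings discussed above.
SAMPLE = """\
# Constructed sample for this example, not the poster's actual file.
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left_action = SYSLOG
"""

def parse_auditd_conf(text):
    """Parse 'key = value' lines into a dict with lowercase keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def retention_report(conf):
    """Summarise how long audit events survive under the configured action."""
    action = conf.get("max_log_file_action", "").upper()
    report = {"action": action, "max_retained_mb": None, "warnings": []}
    if action == "ROTATE":
        size_mb = int(conf.get("max_log_file", 0))   # size of one log, in MB
        num_logs = int(conf.get("num_logs", 0))      # number of files kept
        if num_logs >= 2:
            report["max_retained_mb"] = size_mb * num_logs
            report["warnings"].append(
                f"ROTATE keeps about {size_mb * num_logs} MB; a busy rule set "
                "can delete older events before anyone reviews them")
        else:
            report["warnings"].append("num_logs < 2: auditd does not rotate")
    elif action == "KEEP_LOGS":
        report["warnings"].append(
            "KEEP_LOGS never deletes old logs; archive them off-host and "
            "monitor free space on the audit partition")
        # Treating an unset key like IGNORE is an assumption of this example.
        if conf.get("space_left_action", "IGNORE").upper() == "IGNORE":
            report["warnings"].append(
                "space_left_action is unset or IGNORE: nothing alerts before "
                "the disk fills")
    return report

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE.replace("ROTATE", "KEEP_LOGS")):
        print(retention_report(parse_auditd_conf(text)))
```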